Created
April 26, 2022 21:53
-
-
Save chrismaddalena/efb1caa5ccb539fad4b1d7a0f2e7588b to your computer and use it in GitHub Desktop.
Basic Script for Finding Admin User Sessions in BloodHound
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
########################################################################################## | |
# # | |
# Locate accounts with a specific suffix or prefix and fetch their regular accounts # | |
# to identify user sessions for both accounts. Then output a JSON file that details # | |
# session data for these accounts. # | |
# # | |
# Useful if you are looking for computers used by the target users. # | |
# # | |
########################################################################################## | |
import json | |
from neo4j import GraphDatabase | |
driver = GraphDatabase.driver("bolt://127.0.0.1:7687", auth=("neo4j", "password")) | |
session = driver.session() | |
counter = 0 | |
admin_users = {} | |
# Get all users with `-ADM` suffix | |
query = """ | |
MATCH (u:User) WHERE u.name =~ ".*-ADM@.*" | |
RETURN u.name AS name | |
""" | |
results = session.run(query) | |
for user in results: | |
# Store the `-ADM` username | |
adm_username = user["name"] | |
# Drop the `-ADM` to get their regular accounts | |
username = user["name"].replace("-ADM@", "@") | |
# Get all sessions and computers for these accounts | |
query = """ | |
MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name | |
""" % username | |
reg_results = session.run(query) | |
reg_sessions = [record["name"] for record in reg_results] | |
query = """ | |
MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name | |
""" % adm_username | |
adm_results = session.run(query) | |
adm_sessions = [record["name"] for record in adm_results] | |
admin = False | |
adm_sessions = [] | |
query = """ | |
MATCH (u:User {name:"%s"}) RETURN u.name AS name | |
""" % adm_username | |
adm_results = list(session.run(query)) | |
if adm_results: | |
admin = True | |
query = """ | |
MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name | |
""" % adm_username | |
adm_results = session.run(query) | |
adm_sessions = [record["name"] for record in adm_results] | |
else: | |
adm_username = "" | |
if reg_sessions or adm_sessions: | |
admin_users[counter] = {} | |
admin_users[counter]["reg"] = username | |
admin_users[counter]["sessions"] = reg_sessions | |
admin_users[counter]["adm"] = adm_username | |
admin_users[counter]["adm_sessions"] = adm_sessions | |
admin_users[counter]["admin"] = admin | |
admin_users[counter]["adm"] = adm_username | |
admin_users[counter]["adm_sessions"] = adm_sessions | |
counter += 1 | |
# Clean up neo4j session | |
session.close() | |
driver.close() | |
with open("admin_users.json", "w") as f: | |
f.write(json.dumps(admin_users, indent=4)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment